Comments on: Worpress 2.7.1 wp-comments-post.php XSS exploit http://securitygyan.com/2009/05/03/worpress-271-wp-comments-postphp-xss-exploit/ World of information security Sun, 30 Jan 2011 09:36:30 -0800 hourly 1 http://wordpress.org/?v=3.1 By: Dolly http://securitygyan.com/2009/05/03/worpress-271-wp-comments-postphp-xss-exploit/comment-page-1/#comment-804 Dolly Mon, 15 Feb 2010 00:08:11 +0000 http://securitygyan.com/?p=56#comment-804 Interesting, did you plan to continue this article? <a href="http://www.getwartool.com/" rel="nofollow">Dolly</a> Interesting, did you plan to continue this article?
Dolly

]]> By: Tak http://securitygyan.com/2009/05/03/worpress-271-wp-comments-postphp-xss-exploit/comment-page-1/#comment-800 Tak Thu, 07 Jan 2010 17:29:39 +0000 http://securitygyan.com/?p=56#comment-800 nice detection man.. i was also find some xss vul's. okay keep it up nice detection man..
i was also find some xss vul’s.
okay keep it up

]]> By: LeraJenkins http://securitygyan.com/2009/05/03/worpress-271-wp-comments-postphp-xss-exploit/comment-page-1/#comment-37 LeraJenkins Tue, 23 Jun 2009 08:03:23 +0000 http://securitygyan.com/?p=56#comment-37 Clever things, speaks) Clever things, speaks)

]]> By: Vikrant http://securitygyan.com/2009/05/03/worpress-271-wp-comments-postphp-xss-exploit/comment-page-1/#comment-11 Vikrant Mon, 04 May 2009 16:57:21 +0000 http://securitygyan.com/?p=56#comment-11 Hi, Good finding.Keep the good work up. Wish you all the best Vikrant Hi,

Good finding.Keep the good work up.

Wish you all the best

Vikrant

]]> By: WordPress Codex http://securitygyan.com/2009/05/03/worpress-271-wp-comments-postphp-xss-exploit/comment-page-1/#comment-10 WordPress Codex Mon, 04 May 2009 15:33:50 +0000 http://securitygyan.com/?p=56#comment-10 Only users with the <a href="http://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html" rel="nofollow">unfiltered_html capability</a> can post unfiltered HTML markup or even Javascript code in pages, posts, and comments. By default <a href="http://codex.wordpress.org/Roles_and_Capabilities#Capability_vs._Role_Table" rel="nofollow">only the users in the roles admin or editor have this capability</a> therefore there is no security bug at all cause only admins or editors (which are the two most highest roles in wordpress -by default-) and this users need to have this capability otherwise this users will be very limited specially cause they are normally the blog owners or well take a huge role on the wordpress powered site. Regards Only users with the unfiltered_html capability can post unfiltered HTML markup or even Javascript code in pages, posts, and comments.

By default only the users in the roles admin or editor have this capability therefore there is no security bug at all cause only admins or editors (which are the two most highest roles in wordpress -by default-) and this users need to have this capability otherwise this users will be very limited specially cause they are normally the blog owners or well take a huge role on the wordpress powered site.

Regards

]]>